Re: /dev/random is probably not

To: Jack Lloyd <lloyd@xxxxxxxxxxxxx>
Subject: Re: /dev/random is probably not
From: Alexey Toptygin <alexeyt@xxxxxxxxxxxxx>
Date: Wed, 6 Jul 2005 11:37:00 +0000 (UTC)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20050705164514.GG11643@xxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200507011710.35815.mycroft@xxxxxxxxxx> <42C648C3.5000301@xxxxxxxxxxxx> <auto-000024493417@xxxxxxxxxxxxxxxxx> <20050705164514.GG11643@xxxxxxxxxxxxx>

On Tue, 5 Jul 2005, Jack Lloyd wrote:

Assuming the PRNG is any good, it shouldn't matter if an attacker canmanipulate such timings, because (by definition) a good PRNG will stillbehave correctly even if an attacker does feed it lots of deliberatelybad data (as long as the PRNG also has been fed with a sufficient amountof unguessable 'good' input as well, of course).

In the case of Linux, this still causes the estimate of how much 'good'entropy is in the pool to be inflated. Some applications may rely on thefact that /dev/random is backed by 'real' entropy, whereas /dev/urandomcan be pure PRNG output.

IMO, all this discussion is well and good, but it would be much moreproductive for someone to settle the question empirically.


                        Alexey

References:
- /dev/random is probably not
  - From: Charles M. Hannum
- Re: /dev/random is probably not
  - From: Chiaki
- Re: /dev/random is probably not
  - From: Zow
- Re: /dev/random is probably not
  - From: Jack Lloyd

Prev by Date: Re: /dev/random is probably not
Next by Date: VoIP-Phones: Weakness in proccessing SIP-Notify-Messages
Previous by thread: Re: /dev/random is probably not
Next by thread: Re: /dev/random is probably not
Index(es):
- Date
- Thread